Top tips for charities


Data protection compliance should be one of the main priorities of an organisation. One way to know how well you're doing is by setting Key Performance Indicators (KPIs) that can be measured regularly.

New employees must receive comprehensive data protection training to explain how they should store and handle personal information. Refresher training should also be provided regularly for existing staff with up-to-date information, reminding colleagues about their data protection responsibilities.


Experience shows that organisations find it much easier to deal with unexpected situations when they have a plan in place that has been tested before. Make sure everyone in the organisation knows their roles and what procedures are in place in case of an incident involving personal data. Having a reporting policy is very important, including an incident log or a method of rating the risks associated with a data breach.

Organisations must not keep personal data for longer than is necessary. Have a retention policy in place that sets out when and how personal information needs to be reviewed, deleted or anonymised. People can request to have their data erased, so this should also be part of your retention policy.


People should know what organisations are doing with their information and who it will be shared 
with. This is a legal requirement (as well as established best practice), so it’s important you are open 
and honest with people about how their data will be used. Remember that for consent to be valid it 
must be fully informed, freely given and not bundled together with general terms and conditions. 


More guidance available at ico.org.uk/charity


